Safeguarding Customer Information The Servicer has implemented and will maintain security measures designed to meet the objectives of the Interagency Guidelines Establishing Standards for Safeguarding Customer Information published in final form on February 1, 2001, 66 Fed. Reg. 8616 and the rules promulgated thereunder, as amended from time to time (the “Guidelines”). The Servicer shall promptly provide the Master Servicer, the Trustee and the NIMS Insurer information reasonably available to it regarding such security measures upon the reasonable request of the Master Servicer, the Trustee and the NIMS Insurer which information shall include, but not be limited to, any Statement on Auditing Standards (SAS) No. 70 report covering the Servicer’s operations, and any other audit reports, summaries of test results or equivalent measures taken by the Servicer with respect to its security measures to the extent reasonably necessary in order for the Seller to satisfy its obligations under the Guidelines.
Compliance with Safeguarding Customer Information Requirements The Servicer has implemented and will maintain security measures designed to meet the objectives of the Interagency Guidelines Establishing Standards for Safeguarding Customer Information published in final form on February 1, 2001, 66 Fed. Reg. 8616, and the rules promulgated thereunder, as amended from time to time (the “Guidelines”). The Servicer shall promptly provide the Seller information regarding the implementation of such security measures upon the reasonable request of the Seller.
Privacy of Customer Information Company Customer Information in the possession of the Agent, other than information independently obtained by the Agent and not derived in any manner from or using information obtained under or in connection with this Agreement, is and shall remain confidential and proprietary information of the Companies. Except in accordance with this Section 10.10, the Agent shall not use any Company Customer Information for any purpose, including the marketing of products or services to, or the solicitation of business from, Customers, or disclose any Company Customer Information to any Person, including any of the Agent’s employees, agents or contractors or any third party not affiliated with the Agent. The Agent may use or disclose Company Customer Information only to the extent necessary (i) for examination and audit of the Agent’s activities, books and records by the Agent’s regulatory authorities, (ii) to protect or exercise the Agent’s, the Custodian’s and the Lenders’ rights and privileges or (iii) to carry out the Agent’s, the Custodian’s and the Lenders’ express obligations under this Agreement and the other Facilities Papers (including providing Company Customer Information to Approved Investors), and for no other purpose; provided that the Agent may also use and disclose the Company Customer Information as expressly permitted by the relevant Company in writing, to the extent that such express permission is in accordance with the Privacy Requirements. The Agent shall take commercially reasonable steps to ensure that each Person to which the Agent intends to disclose Company Customer Information, before any such disclosure of information, agrees to keep confidential any such Company Customer Information and to use or disclose such Company Customer Information only to the extent necessary to protect or exercise the Agent’s, the Custodian’s and the Lenders’ rights and privileges, or to carry out the Agent’s, the Custodian’s and the Lenders’ express obligations, under this Agreement and the other Facilities Papers (including providing Company Customer Information to Approved Investors). The Agent agrees to maintain an Information Security Program and to assess, manage and control risks relating to the security and confidentiality of Company Customer Information pursuant to such program in the same manner as the Agent does so in respect of their own customers’ information, and shall implement the standards relating to such risks in the manner set forth in the Interagency Guidelines Establishing Standards for Safeguarding Company Customer Information set forth in 12 CFR Parts 30, 208, 211, 225, 263, 308, 364, 568 and 570. Without limiting the scope of the foregoing sentence, the Agent shall use at least the same physical and other security measures to protect all Company Customer Information in the Agent’s possession or control as the Agent uses for their own customers’ confidential and proprietary information.
Customer Information CPNI of a Customer and any other non-public, individually identifiable information about a Customer or the purchase by a Customer of the services or products of a Party.
Processing of Customer Personal Data 3.1 UKG will:
3.1.1 comply with all applicable Data Protection Laws in the Processing of Customer Personal Data; and
3.1.2 not Process Customer Personal Data other than for the purpose, and in accordance with, the relevant Customer’s instructions as documented in the Agreement and this DPA, unless Processing is required by the Data Protection Laws to which the relevant UKG Processor is subject, in which case UKG to the extent permitted by the Data Protection Laws, will inform Customer of that legal requirement before the Processing of that Customer Personal Data.
3.2 Customer hereby:
3.2.1 instructs UKG (and authorizes UKG to instruct each Subprocessor) to: (a) Process Customer Personal Data; and (b) in particular, transfer Customer Personal Data to any country or territory subject to the provisions of this DPA, in each case as reasonably necessary for the provision of the Services and consistent with the Agreement.
3.2.2 warrants and represents that it is and will at all relevant times remain duly and effectively authorized to give the instructions set out in Section 3.2.1 on behalf of each relevant Customer Affiliate; and
3.2.3 warrants and represents that it has all necessary rights in relation to the Customer Personal Data and/or has collected all necessary consents from Data Subjects to Process Customer Personal Data to the extent required by Applicable Law.
3.3 Schedule 1 to this DPA sets out certain information regarding UKG’s Processing of Customer Personal Data as required by Article 28(3) of the GDPR (and equivalent requirements of other Data Protection Laws).
Safeguards for Personal Information Supplier agrees to develop, implement, maintain, and use administrative, technical, and physical safeguards, as deemed appropriate by DXC, to preserve the security, integrity and confidentiality of, and to prevent intentional or unintentional non-permitted or violating use or disclosure of, and to protect against unauthorized access to or accidental or unlawful destruction, loss, or alteration of, the Personal Information Processed, created for or received from or on behalf of DXC in connection with the Services, functions or transactions to be provided under or contemplated by this Agreement. Such safeguards shall meet all applicable legal standards (including any encryption requirements imposed by law) and shall meet or exceed accepted security standards in the industry, such as ISO 27001/27002. Supplier agrees to document and keep these safeguards current and shall make the documentation available to DXC upon request. Supplier shall ensure that only Supplier’s employees or representatives who may be required to assist Supplier in meeting its obligations under this Agreement shall have access to the Personal Information.
Safeguarding The Local Authority has overarching responsibility for safeguarding and promoting the welfare of all children and young people in their area. They have a number of statutory functions under the 1989 and 2004 Children Acts which make this clear, and the ‘Working Together to Safeguard Children’ 2015 guidance1 sets these out in detail.
Handling Sensitive Personal Information and Breach Notification A. As part of its contract with HHSC Contractor may receive or create sensitive personal information, as section 521.002 of the Business and Commerce Code defines that phrase. Contractor must use appropriate safeguards to protect this sensitive personal information. These safeguards must include maintaining the sensitive personal information in a form that is unusable, unreadable, or indecipherable to unauthorized persons. Contractor may consult the “Guidance to Render Unsecured Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals” issued by the U.S. Department of Health and Human Services to determine ways to meet this standard.
B. Contractor must notify HHSC of any confirmed or suspected unauthorized acquisition, access, use or disclosure of sensitive personal information related to this Contract, including any breach of system security, as section 521.053 of the Business and Commerce Code defines that phrase. Contractor must submit a written report to HHSC as soon as possible but no later than 10 business days after discovering the unauthorized acquisition, access, use or disclosure. The written report must identify everyone whose sensitive personal information has been or is reasonably believed to have been compromised.
C. Contractor must either disclose the unauthorized acquisition, access, use or disclosure to everyone whose sensitive personal information has been or is reasonably believed to have been compromised or pay the expenses associated with HHSC doing the disclosure if:
1. Contractor experiences a breach of system security involving information owned by HHSC for which disclosure or notification is required under section 521.053 of the Business and Commerce Code; or
2. Contractor experiences a breach of unsecured protected health information, as 45 C.F.R. §164.402 defines that phrase, and HHSC becomes responsible for doing the notification required by 45 C.F.R. §164.404. HHSC may, at its discretion, waive Contractor's payment of expenses associated with HHSC doing the disclosure.
Protection of Customer Data The Supplier shall not delete or remove any proprietary notices contained within or relating to the Customer Data. The Supplier shall not store, copy, disclose, or use the Customer Data except as necessary for the performance by the Supplier of its obligations under this Call Off Contract or as otherwise Approved by the Customer. To the extent that the Customer Data is held and/or Processed by the Supplier, the Supplier shall supply that Customer Data to the Customer as requested by the Customer and in the format (if any) specified by the Customer in the Call Off Order Form and, in any event, as specified by the Customer from time to time in writing. The Supplier shall take responsibility for preserving the integrity of Customer Data and preventing the corruption or loss of Customer Data. The Supplier shall perform secure back-ups of all Customer Data and shall ensure that up-to-date back-ups are stored off-site at an Approved location in accordance with any BCDR Plan or otherwise. The Supplier shall ensure that such back-ups are available to the Customer (or to such other person as the Customer may direct) at all times upon request and are delivered to the Customer at no less than six (6) Monthly intervals (or such other intervals as may be agreed in writing between the Parties). The Supplier shall ensure that any system on which the Supplier holds any Customer Data, including back-up data, is a secure system that complies with the Security Policy and the Security Management Plan (if any). If at any time the Supplier suspects or has reason to believe that the Customer Data is corrupted, lost or sufficiently degraded in any way for any reason, then the Supplier shall notify the Customer immediately and inform the Customer of the remedial action the Supplier proposes to take. If the Customer Data is corrupted, lost or sufficiently degraded as a result of a Default so as to be unusable, the Supplier may: require the Supplier (at the Supplier's expense) to restore or procure the restoration of Customer Data to the extent and in accordance with the requirements specified in Call Off Schedule 8 (Business Continuity and Disaster Recovery) or as otherwise required by the Customer, and the Supplier shall do so as soon as practicable but not later than five (5) Working Days from the date of receipt of the Customer’s notice; and/or itself restore or procure the restoration of Customer Data, and shall be repaid by the Supplier any reasonable expenses incurred in doing so to the extent and in accordance with the requirements specified in Call Off Schedule 8 (Business Continuity and Disaster Recovery) or as otherwise required by the Customer.
Third-Party Information; Privacy or Data Protection Laws Each Party acknowledges that it and its respective Subsidiaries may presently have and, after the Effective Time, may gain access to or possession of confidential or proprietary Information of, or personal Information relating to, Third Parties: (i) that was received under confidentiality or non-disclosure agreements entered into between such Third Parties, on the one hand, and the other Party or the other Party’s Subsidiaries, on the other hand, prior to the Effective Time or (ii) that, as between the two parties, was originally collected by the other Party or the other Party’s Subsidiaries and that may be subject to and protected by privacy, data protection or other applicable Laws. Each Party agrees that it shall hold, protect and use, and shall cause its Subsidiaries and its and their respective Representatives to hold, protect and use, in strict confidence the confidential and proprietary Information of, or personal Information relating to, Third Parties in accordance with privacy, data protection or other applicable Laws and the terms of any agreements that were either entered into before the Effective Time or affirmative commitments or representations that were made before the Effective Time by, between or among the other Party or the other Party’s Subsidiaries, on the one hand, and such Third Parties, on the other hand.
